VMware and Hyper-V Configuration 


Follow the steps below to deploy your WAF firewall cluster in VMware (vCenter) or 
Microsoft Hyper-V and configure your DNS. You'll need to funnel traffic through the WAF 
cluster by changing your DNS. 


Once you complete these steps, we'll start monitoring your web application for security 
violations. Also your WAF cluster will start making outbound connections to the Qualys 
Cloud Platform for regular health checks - these confirm the cluster is properly configured 
and has the latest software. 


Tell me the steps 


1) Download the OVA image (VMware) or the VHD image (Hyper-V). You'll get the image 
when you add a new WAF appliance (go to WAF Appliances » WAF Clusters, click the New 
WAF Appliance button). 


2) Import the image in your virtualization platform. The OVA image supports VMware for 
production (and can be used in VirtualBox for test purposes only), while the VHD image 
supports Microsoft Hyper-V. 


3) Set up the virtual appliance using the CLI (Command Line Interface). 
4) Verify the registration of the appliance. 


5) Test availability of your web application through Qualys WAF. Once confirmed, you'll 
need to alias DNS entries to direct traffic at your origin infrastructure. 


Import and Register your WAF Appliance 


Using vCenter 
Start your VMware Client. 


Choose "Deploy OVA File". This starts the OVA Template wizard. Browse to the downloaded 
OVA and select it (or enter the URL where the OVA can be downloaded). 




Using Hyper-V 
Start your Hyper-V Manager. 


Select New > Virtual Machine... and using the “New Virtual Machine Wizard” create a new 
virtual machine. 




Good to know 


The Hyper-V appliance currently does not support static network configuration through the
CLI. You will need to set up an external DHCP configuration, and configure it to provide a
permanent IP address to the VM's MAC address. Bear this in mind especially if you're using
a virtual switch for WAF connectivity in Hyper-V Manager. To monitor your network
configuration through the CLI, you can use the "ifconfig", "show network", "network [help]",
and "routes [help]" commands.


Step through the wizard 

We provide a default name for your WAF instance, and you can change it. Select disk 
format and mapping settings appropriate for your environment. Do not set WAF-specific 
properties in the wizard as they are deprecated and will be removed in a future release. 
You will set properties using the CLI. See Set Up the Appliance using the CLI.




Set Up the Appliance using the CLI 


Log in as “waf-user” via SSH or System Console 
The first login forces you to change your password. 


$ ssh waf-user@10.1.1.5
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user waf-user.
New password: C-om34EhbTz.6aiMU4C
Retype new password: C-om34EhbTz.6aiMU4C
passwd: all authentication tokens updated successfully.
Connection to 10.1.1.5 closed.


Configuration 


Set the required properties: waf_service_url (URL of Qualys Cloud Platform hosting your
account) and registration_code. See WAF registration parameters. More properties may be
required depending on your networking environment. See CLI Reference for details.


$ ssh waf-user@10.1.1.5

qualys waf # help
Commands (type help <command>):

deregister help passwd save show status viewlog diag ifconfig
reboot set shutdown sysinfo waf exit network routes setup ssh
unset

qualys waf # set
Syntax: set KEY=VALUE
Valid keys:

waf_service_url
proxy_url
sem_syslog_addr
registration_code
waf_ssl_passphrase

qualys waf # set waf_service_url=https://rns.qualys.com
qualys waf # set registration_code=A30BC162-785A-4BAF-AB5D5-1A2DE9C6DA3A
qualys waf # save


dile Successfully » 




Reboot may be required 


...if you are changing the token (e.g. re-registration).

qualys waf # reboot
Are you sure you want to reboot? <y/N> y
Rebooting

Broadcast message from waf-user@dhcp-10-1-1-5
(/dev/pts/0) at 18:05

The system is going down for reboot NOW!
Connection to 10.1.1.5 closed.


Verify Registration 


You can do this using the CLI as shown below, or the WAF user interface (go to WAF 
Appliances » WAF Clusters). 


qualys waf # status
Checking status.... Done.
Connectivity to Qualys: OK
Registration status: OK
Sensor Id: 2b9af5aa-f99e-45bf-86dd-3d45a4d6b3f7
Registration Code: 3F159371-6188-4B7C-8C6D-48E764ADFO00D
qualys waf # quit
Connection to 10.1.1.5 closed.


Note: When you check the appliance status, "Connectivity to Qualys" may show OK even if
you do not set the WAF_SERVICE_URL. This is because WAF_SERVICE_URL takes the
default value https://rns.qualys.com:443/ when not explicitly set to a custom value.


That's it! You've configured your WAF virtual appliance. Once you're done we'll start a 
distributed network of sensors for your WAF cluster. Also your WAF cluster will start 
making outbound connections to the Qualys Cloud Platform. 


WAF registration parameters

While registering a WAF appliance, you need to provide WAF registration code and other
properties as appropriate using the variables below:

Variable              Description

WAF_SERVICE_URL       (Required) The URL of the Qualys Cloud Platform hosting your
                      Qualys account. Supported platform URLs are:

                      US Platform 1      https://rns.qualys.com
                      US Platform 2      https://rns.qg2.apps.qualys.com
                      US Platform 3      https://rns.qg3.apps.qualys.com
                      EU Platform 1      https://rns.qualys.eu
                      EU Platform 2      https://rns.qg2.apps.qualys.eu
                      India Platform 1   https://rns.qg1.apps.qualys.in

                      Note: When you check the appliance status, "Connectivity to
                      Qualys" may show OK even if you do not set the WAF_SERVICE_URL.
                      This is because WAF_SERVICE_URL takes the default value
                      https://rns.qualys.com:443/ when not explicitly set to a custom
                      value.

REGISTRATION_CODE     (Required) Enter the WAF registration code in this format:
                      REGISTRATION_CODE=your_code. You can find this code by going
                      to the WAF clusters list (WAF Appliances » WAF Clusters).

PROXY_URL             (Required if a proxy is required for the WAF cluster to access the
                      Qualys Cloud Platform) If the WAF needs to connect to the Qualys
                      Cloud Platform through an HTTP proxy, please input the URL of the
                      proxy. Enter the proxy URL in this format: PROXY_URL=proxy_url

WAF_SSL_PASSPHRASE    (Required if the appliance protects a site communicating over SSL)
                      If your web application's primary or secondary base URL uses the
                      HTTPS protocol, the Qualys Cloud Platform portal protects the
                      private key by encrypting it with a 64 byte dedicated passphrase.
                      This way, it's not accessible in clear on the Qualys Platform. This
                      WAF_SSL_PASSPHRASE needs to be set on the appliance, for
                      decrypting the key. Enter the passphrase in this format:
                      WAF_SSL_PASSPHRASE=passphrase




Amazon EC2 Configuration 


Follow the steps below to deploy your WAF firewall cluster in Amazon EC2 and configure 
your DNS. You'll need to funnel traffic through the WAF cluster by changing your DNS. 


Once you complete these steps, we'll start monitoring your web application for security 
violations. Also your WAF cluster will start making outbound connections to the Qualys 
Cloud Platform for regular health checks - these confirm the cluster is properly configured 
and has the latest software. 


Launch New EC2 Instance 


1) Go to your Amazon EC2 Dashboard and launch an instance 




2) Choose the WAF AMI 
Click My AMIs (1) and then select the QualysGuard WAF AMI (2). 


Tip Use the search box to find this quickly. Just enter "WAF" and click Enter. 




Don’t see the WAF AMI? Please contact your Technical Account Manager or our Support 
Team for assistance. 


3) Choose Instance Type 
You'll choose from a wide variety of instance types. 




Select an instance type and then click “Next: Configure Instance Details”. 




4) Configuration 


Open Advanced Details. In the User Data field, enter your WAF registration code and other 
properties as appropriate. See WAF registration parameters. 


5) Additional steps (optional) 
You might want to add storage, tag the instance and configure security groups. 


6) Click Review and Launch 


Be sure to wait until the WAF AMI status is green (this means it’s running). Then you're 
ready to add the AMI instance to the EC2 load balancer (see the next section). 


Add Your WAF AMI to the Load Balancer 


1) Create an HTTP Load Balancer Instance 




2) Set up your Health Checks 


Choose the TCP Ping Protocol option. Later, when your web application is online, you can 
choose a URL for a comprehensive health check. 


3) Add Your WAF Instance in the Cluster 


Click the "Select" check box beside your WAF instance to add it to the load balancer. Your 
load balancer is now created and will soon be able to handle requests. 




4) Redirect Your Traffic to the Load Balancer Hostname 


Test the availability of your web application through the load balancer. Once confirmed, 
you'll need to alias your DNS entries to the Amazon EC2 load balancer you just created. 


Note (from the EC2 console, shown with the load balancer's DNS name): Because the set of
IP addresses associated with a LoadBalancer can change over time, you should never create
an "A" record with any specific IP address.

That's it! You've configured your WAF virtual appliance. Once you're done we'll start a 
distributed network of sensors for your WAF cluster. Also your WAF cluster will start 
making outbound connections to the Qualys Cloud Platform (HTTPS over TCP-443). 


Microsoft Azure Configuration 


Follow the steps below to deploy your WAF firewall on Microsoft Azure. 


Once you complete these steps, we'll start monitoring your web application for security 
violations. Also your WAF appliance will start making outbound connections to the Qualys 
Cloud Platform for regular health checks. This confirms that the appliance is properly 
configured and has the latest software. 


Deploy WAF on Azure 

1) Go to your Azure Dashboard and under Images find the Qualys WAF 
image. 

Click All services, and then click Images. Search for the WAF image. 

Tip Use the search box to find this quickly. Just enter "WAF" and click Enter. 




Don’t see the WAF image? Please contact your Technical Account Manager or our Support. 


2) Create the WAF VM. 
Click the WAF image, and then click Create VM. 




Perform the 7 configuration steps from Basics to Review + create. In the Create a virtual 
machine page > Basic, enter the required information. 




While creating a WAF VM, in the Create a virtual machine > Basic > Administrator account 
section, enter waf-user in the Username field. 


Azure portal warning shown when SSH (22) is selected under Public inbound ports: This will
allow all IP addresses to access your virtual machine. This is only recommended for
testing. Use the Advanced controls in the Networking tab to create rules to limit inbound
traffic to known IP addresses.


Complete the remaining configuration process, and click Create to create the instance. 


Once the Azure instance deployment is complete, you will get the message as displayed in 
the following image. 
Message shown on the deployment Overview page: "Your deployment is complete"


3) Once the VM is created, you get the ssh command to connect to the 
VM. 


For the new WAF Azure instance, click Connect > SSH. 




Use the command provided in the example to connect to your Azure WAF appliance. 
Connect via SSH with client

1. Open the client of your choice, e.g. PuTTY or other clients.

2. Ensure you have read-only access to the private key.

   chmod 400 waf-user.pem

3. Provide a path to your SSH private key file.

   Private key path: ~/.ssh/waf-user

   ssh -i <private key path> waf-user@168.62.


4) Register the appliance to Qualys Cloud Platform 


Connect to the WAF VM and using the CLI enter your WAF registration code and other 
properties as appropriate. See Set Up the Appliance using the CLI. 


That’s it! You’ve configured your WAF virtual appliance. Your WAF appliance will start 
making outbound connections to the Qualys Cloud Platform (HTTPS over TCP-443). 


Google Cloud Configuration 


Follow the steps below to deploy your WAF firewall on Google Cloud Platform (GCP). 


Once you complete these steps, we'll start monitoring your web application for security 
violations. Also your WAF appliance will start making outbound connections to the Qualys 
Cloud Platform for regular health checks - these confirm the appliance is properly 
configured and has the latest software. 


Deploy WAF on Google Cloud Platform 

1) Go to your GCP Dashboard and under Images find the Qualys WAF 
image. 

Click Images and then search for the WAF image. 

Tip Use the search box to find this quickly. Just enter "WAF" and click Enter. 




Don't see the WAF image? Please contact your Technical Account Manager or our Support. 
2) Create the WAF Instance


Click the WAF image, and then click CREATE INSTANCE. 




Provide the basic information, choose Machine type, and configure access and network
settings for the instance.




3) Register the appliance to Qualys Cloud Platform 


You can provide the WAF registration details while creating the instance or later once the 
instance is created. 


To provide WAF registration details during instance creation, enter the variable and values 
in the form of key value pairs in the Metadata section. 




To register a WAF appliance once the instance is created, connect to the WAF instance and 
using the CLI enter your WAF registration code and other properties as appropriate. See 
WAF registration parameters. 


That's it! You've configured your WAF virtual appliance. Your WAF appliance will start 
making outbound connections to the Qualys Cloud Platform (HTTPS over TCP-443). 
Docker Configuration

You can install the WAF appliance on a docker container.


Go to WAF Appliances > WAF Appliances, and click New WAF Appliance. Select an existing
WAF cluster or create a new one. In the Add New WAF Appliance wizard, select Docker
and click Continue to download the docker image file.

Configure your WAF Appliance - Docker

Ready to download the WAF appliance docker image?

Be sure to allow the pop-up from our site (http://pfo01.p04.eng.sjc01-qualys.com:50202).
This allows us to download the WAF appliance docker image to your local system. Many
browsers prevent pop-ups from appearing automatically. You might need to allow this
pop-up manually.

Once docker image is downloaded, register WAF docker image into your registry using following command:
$ docker load --input=/path/to/file/downloaded/waf-prodversion.image.tar.gz

Verify that image is properly loaded into your registry:
$ docker images

Run a new container using Qualys WAF docker image:
$ docker run -d --name container-name waf-prod:xxxxxx
70efe87be9586787d4bb6b20caf74e38eebe11088a7526c4d1b81edf889a65ff

Run WAF CLI shell in order to setup configuration or diagnose WAF services:
$ docker exec -ti container-name waf-shell


Refer to the onscreen instructions to create a container from the docker image. Click 
Continue to get the registration code of the cluster to register the WAF appliance to. See 
CLI Reference for information on registering the WAF appliance through CLI. 


Ensure that the docker container has proper network connectivity for WAF appliance to
communicate and register with the Qualys Cloud Platform (WAF_SERVICE_URL) in order
to start sending WAF events.
CLI Reference

The command line interface is used to set up the WAF appliance. Commands and
Variables are described below.

Commands

Command                        Description

help                           List all commands or give detailed help for a specific
                               command. For more information about a command, type help
                               followed by the command.

deregister                     De-registers the sensor from its cluster and shutdown.

diag [details]                 Simple diagnostic tool (nslookup, perfstat, fetchurl, ssl).

                               Example to forge a specific servername value (SNI):
                               diag ssl www.domain.com:443 "foo.domain.com"

                               Example to forge a specific host header value:
                               diag fetchurl https://servername.domain.com "Host: foo.domain.com"

exit                           Exit the CLI. The user will be prompted if there are
                               unsaved changes.

ifconfig                       Show the current interface configuration.

network                        Configure the network interface, i.e. add, change, delete
                               network route, and set nameservers to be used.

passwd                         Change the password for user waf-user.

reboot                         Reboot the WAF cluster.

routes                         Show network routing.

save                           Save the current configuration.

set variable={value}           Set a key value for configuration.

setup                          Helps you set up properties by prompting for registration
                               code, WAF service URL, proxy URL and SSL passphrase.

show [details]                 Show the current saved and unsaved settings. Show details
                               will include settings from the virtualization platform.

shutdown                       Shutdown the WAF sensor.

ssh                            Configure the public ssh keys, i.e. add, delete, list.

status                         Display the registration status of the WAF cluster.

sysinfo                        Display system information.

viewlog [n]                    View the last N lines of the WAF cluster log.

waf                            Manage the WAF process, i.e. start, stop, restart,
                               reconfigure, get status.

unset variable                 Clear the value for a variable.

ca                             Add, Delete or List CA certificates.

core [status|enable|disable]   Enable or disable generating the core dump file upon
                               crash. By default core is enabled.
Variables

Variable              Description

waf_service_url       (Required) The URL of the Qualys Cloud Platform hosting your
                      Qualys account. Supported platform URLs are:

                      US Platform 1      https://rns.qualys.com
                      US Platform 2      https://rns.qg2.apps.qualys.com
                      US Platform 3      https://rns.qg3.apps.qualys.com
                      EU Platform 1      https://rns.qualys.eu
                      EU Platform 2      https://rns.qg2.apps.qualys.eu
                      India Platform 1   https://rns.qg1.apps.qualys.in

registration_code     (Required) Enter the WAF registration code in this format:
                      registration_code=your_code. You can find this code by going to
                      the WAF clusters list (WAF Appliances » WAF Clusters).

proxy_url             (Required if a proxy is required for the WAF cluster to access the
                      Qualys Cloud Platform) If the WAF needs to connect to the Qualys
                      Cloud Platform through an HTTP proxy, please input the URL of the
                      proxy. Enter the proxy URL in this format: proxy_url=proxy_url

waf_ssl_passphrase    (Required if the appliance protects a site communicating over SSL)
                      If your web application's primary or secondary base URL uses the
                      HTTPS protocol, the Qualys Cloud Platform portal protects the
                      private key by encrypting it with a 64 byte dedicated passphrase.
                      This way, it's not accessible in clear on the Qualys Platform. This
                      waf_ssl_passphrase needs to be set on the appliance, for decrypting
                      the key. Enter the passphrase in this format:
                      waf_ssl_passphrase=passphrase

sem_syslog_addr       The Security Event Manager to send transaction logs via syslog to.
                      The syslog messages will be formatted as described in RFC5424.

                      Syntax: PROTOCOL:HOSTNAME:PORT

                      where PROTOCOL is "tcp" or "udp", and PORT is standard syslog
                      port 514 by default

                      Example: TCP:sysloghost.example.com:514
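
A pre-flight check for the properties listed under WAF registration parameters and in the Variables table above, as an added example (not Qualys code). It assumes one KEY=VALUE pair per line, matches keys case-insensitively, and requires an http(s) scheme on the proxy URL; the function names are hypothetical and the sample block is constructed.

```python
from urllib.parse import urlsplit

# Supported platform URLs, copied from the tables on this page.
PLATFORMS = {
    "https://rns.qualys.com": "US Platform 1",
    "https://rns.qg2.apps.qualys.com": "US Platform 2",
    "https://rns.qg3.apps.qualys.com": "US Platform 3",
    "https://rns.qualys.eu": "EU Platform 1",
    "https://rns.qg2.apps.qualys.eu": "EU Platform 2",
    "https://rns.qg1.apps.qualys.in": "India Platform 1",
}
DEFAULT_URL = "https://rns.qualys.com:443/"  # fallback named in the page's note
KNOWN_KEYS = {"WAF_SERVICE_URL", "REGISTRATION_CODE", "PROXY_URL", "WAF_SSL_PASSPHRASE", "SEM_SYSLOG_ADDR"}


def parse_block(text):
    """Parse KEY=VALUE lines into a dict; collect (severity, message) findings."""
    params, findings = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key = key.strip().upper()  # assumption: keys are matched case-insensitively
        if not sep or not key:
            findings.append(("error", f"line {number}: not in KEY=VALUE form"))
        elif key not in KNOWN_KEYS:
            findings.append(("error", f"line {number}: unknown key {key}"))
        else:
            params[key] = value.strip()
    return params, findings


def canonical(url):
    """Return https://host for a bare https URL (port 443 and '/' dropped), else None."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port
    except ValueError:
        return None
    bare = parts.path in ("", "/") and not (parts.query or parts.fragment or parts.username)
    if parts.scheme != "https" or not parts.hostname or not bare or port not in (None, 443):
        return None
    return f"https://{parts.hostname}"


def parse_syslog_addr(value):
    """Split PROTOCOL:HOSTNAME:PORT (IPv6 literals not handled); port defaults to 514."""
    fields = [f.strip() for f in value.split(":")]
    if len(fields) not in (2, 3) or fields[0].lower() not in ("tcp", "udp") or not fields[1]:
        raise ValueError("expected PROTOCOL:HOSTNAME:PORT with PROTOCOL tcp or udp")
    port = fields[2] if len(fields) == 3 else "514"
    if not port.isdecimal() or not 1 <= int(port) <= 65535:
        raise ValueError("port must be a number from 1 to 65535")
    return fields[0].lower(), fields[1], int(port)


def check(text, https_site=False):
    """Return (severity, message) findings for one registration block."""
    params, findings = parse_block(text)
    if not params.get("REGISTRATION_CODE"):
        findings.append(("error", "REGISTRATION_CODE is required"))
    url = params.get("WAF_SERVICE_URL")
    if url is None:
        findings.append(("warning", f"WAF_SERVICE_URL unset, appliance will use {DEFAULT_URL}"))
    elif canonical(url) not in PLATFORMS:
        findings.append(("error", "WAF_SERVICE_URL is not a supported platform URL"))
    proxy = params.get("PROXY_URL")
    if proxy is not None:
        try:
            parts = urlsplit(proxy)  # assumption: the proxy URL carries an http(s) scheme
            ok = parts.scheme in ("http", "https") and bool(parts.hostname)
        except ValueError:
            ok = False
        if not ok:
            findings.append(("error", "PROXY_URL must be an http(s) URL with a host"))
    phrase = params.get("WAF_SSL_PASSPHRASE")
    if https_site and not phrase:
        findings.append(("error", "WAF_SSL_PASSPHRASE is required for an HTTPS site"))
    elif phrase is not None and len(phrase.encode()) != 64:
        findings.append(("warning", "WAF_SSL_PASSPHRASE is not 64 bytes long"))
    if "SEM_SYSLOG_ADDR" in params:
        try:
            parse_syslog_addr(params["SEM_SYSLOG_ADDR"])
        except ValueError as exc:
            findings.append(("error", f"SEM_SYSLOG_ADDR: {exc}"))
    return findings


# Constructed sample: an EU account's block with a misspelled service URL key.
SAMPLE = """\
WAF_SERVICE_URI=https://rns.qualys.eu
REGISTRATION_CODE=PLACEHOLDER-CODE
SEM_SYSLOG_ADDR=TCP:sysloghost.example.com
"""

if __name__ == "__main__":
    print(*(f"{s:8}{m}" for s, m in check(SAMPLE)), sep="\n")
```

The sample shows why the check matters: with the key misspelled, the appliance would register against the default US platform URL while status still reports connectivity OK.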
Contact Support


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access online support information at www.qualys.com/support/. 